Businesses in Europe have been in the firing line of GDPR enforcement since the regulation took effect in May 2018, and 2020 brought some of the largest penalties yet. In December 2020, Facebook set aside €302 million for possible GDPR fines while it remains under investigation by the Irish Data Protection Commission. The same month, France’s CNIL levied a €100 million fine on Google for placing advertising cookies on users’ devices without their consent. The year 2021 is no different, and Big Tech continues to face the heat of European regulators, with recent colossal fines of €746 million and €225 million on Amazon and WhatsApp respectively.
Since enforcement began in May 2018, GDPR authorities have imposed over €1.2 billion in fines, according to estimates by Privacy Affairs. Thanks to the record Amazon fine, Luxembourg tops the list with the highest aggregate fines of more than €746 million, followed by Italy with €84 million, then France and Germany.
Broadly speaking, there are two tiers of GDPR fines (Article 83). Regulators set the amount using criteria such as the nature, gravity and duration of the infringement, whether it was intentional or negligent, the measures taken to mitigate the harm, and the degree of cooperation with the authority. The lower tier covers up to €10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher, and applies to breaches of controller and processor obligations such as security of processing, records of processing and breach notification. The higher tier covers up to €20 million or 4% of worldwide annual turnover, whichever is higher, and applies to breaches of the basic processing principles, data subjects’ rights and the rules on international transfers.
We’ve looked at the biggest GDPR fines in 2018 and 2019. To keep up with GDPR fines of 2020 and 2021, read on.
GDPR Fines of 2020 and 2021
1. Amazon, €746 million
Amazon Europe Core faces a record €746 million ($886.6 million) fine for violating the GDPR. The Luxembourg National Commission for Data Protection (CNPD) imposed the fine in a decision of July 16, 2021, which Amazon disclosed in a regulatory filing later that month. The Luxembourg fine dwarfs anything imposed before, making it the biggest GDPR fine ever.
Because Amazon’s European headquarters is in Luxembourg, the CNPD is the lead supervisory authority and handled the proceedings, but it has not published the details of the violations. Amazon has said it plans to appeal and intends “to defend ourselves vigorously in this matter.”
2. WhatsApp, €225 million
Facebook-owned WhatsApp has been fined €225 million ($266 million) by Ireland’s Data Protection Commission (DPC), the lead EU regulator for Facebook, for breaching the GDPR. The decision, announced in September 2021, concludes an investigation opened in December 2018 and finds that WhatsApp was not transparent enough about how it handles user information, including what it shares with other Facebook companies. The DPC’s original proposed fine was raised after other EU regulators objected and the European Data Protection Board issued a binding dispute-resolution decision.
3. Google, €100 million
In December 2020, the French data regulator CNIL fined Google LLC €60 million and Google Ireland €40 million for violating the GDPR and the French Data Protection Act. The fine was for automatically placing advertising cookies on the devices of google.fr users without obtaining prior consent and without providing adequate information; CNIL also found that the opt-out mechanism was partly defective, since one advertising cookie continued to be read after users deactivated ad personalisation.
In January 2019, Google was fined €50 million by CNIL for violating the GDPR. The fine was issued for Google’s insufficient and hard-to-find information, lack of transparency, and lack of valid consent from users for personalised ads. Google challenged the decision, but in June 2020 the French Conseil d’État (Council of State) rejected the appeal and upheld the penalty.
4. Amazon, €35 million
In December 2020, on the same day as the Google cookie decision, CNIL fined Amazon Europe Core €35 million for placing advertising cookies on the devices of amazon.fr visitors without prior consent and without adequate information, the same pattern of violation as in the Google case.
5. H&M, €35.3 million
In October 2020, the Hamburg data protection authority (HmbBfDI) fined clothing retailer H&M €35.3 million for surveillance of employees at its Nuremberg service centre. It is the largest fine issued for an employment-related breach since the GDPR came into force.
Since at least 2014, managers at the centre had built and maintained detailed profiles of employees’ private lives, recording information gleaned from informal conversations and return-to-work interviews: holiday experiences, medical symptoms and diagnoses, family problems and religious beliefs. The records were stored on a network drive and used to evaluate employees. The practice came to light in October 2019, when a configuration error made the data briefly accessible company-wide.
6. TIM, €27.8 million
In January 2020, the Italian Data Protection Authority (Garante) imposed a €27.8 million fine on telecommunications operator TIM for a string of GDPR violations: unlawful data processing, aggressive marketing, invalid collection of consent and excessive data retention periods.
Between January 2017 and early 2019, the Garante received several hundred complaints about TIM’s aggressive promotional campaigns. Millions of people were flooded with cold calls and unsolicited communications, including non-customers and numbers on the public opt-out register.
7. British Airways, €22 million
In October 2020, the UK’s Information Commissioner’s Office (ICO) fined British Airways £20 million (about €22 million) for its 2018 data breach, in which attackers diverted traffic on the BA website to a fraudulent site and harvested the personal and payment card data of more than 400,000 customers. The data stolen included employee login credentials, payment card numbers, travel booking details, names and addresses. The ICO’s penalty notice found that BA had failed to limit access to applications, data and tools to what was needed, to carry out rigorous testing, and to protect employee and third-party accounts with multi-factor authentication; it also noted that BA did not detect the attack itself but was alerted by a third party.
The final fine is considerably smaller than the £183 million the ICO announced its intention to impose in 2019; the ICO cited BA’s representations and “the economic impact of Covid-19” among its reasons. It was nevertheless the largest fine the ICO had issued at the time.
8. Marriott International, €20.4 million
In October 2020, the ICO fined Marriott International £18.4 million (about €20.4 million) for failing to keep customers’ personal data secure. The fine relates to a breach that began with a 2014 cyber attack on the Starwood hotel group, which Marriott acquired in 2016; the intrusion was not discovered until September 2018 and was disclosed in November 2018. The exposed data included names, email addresses, phone numbers, unencrypted passport numbers, arrival and departure information, guests’ VIP status and loyalty programme membership numbers.
According to the ICO, the breach affected an estimated 339 million guest records worldwide, around seven million of them relating to people in the UK. As with the British Airways fine, the ICO reduced the penalty from the £99 million it had announced its intention to impose in July 2019, citing the pandemic among other factors.
9. Wind Tre, €16.7 million
In July 2020, the Garante fined Wind Tre, a mobile telecoms operator, €16.7 million for aggressive direct marketing in breach of the GDPR. The company used customers’ personal data without their consent for unsolicited communications by SMS, email, phone calls and automated calls.
10. Vodafone, €12.25 million
In November 2020, the Italian Data Protection Authority (Garante) issued a €12.25 million GDPR fine to telecommunications company Vodafone Italia. The company was fined for aggressive telemarketing practices.
After receiving complaints of unsolicited calls from Vodafone, the Garante launched an investigation. It found that Vodafone’s customer information storage system had multiple flaws and that the company had bought contact lists covering over 4.5 million people from external providers without valid consent.
Vodafone is also barred from further processing, for marketing or commercial purposes, data acquired from third parties without user consent. This is the third-largest fine the Garante has issued so far, after the €27.8 million for TIM and €16.7 million for Wind Tre.
11. EGL, €11.5 million
In January 2020, the Garante fined Eni Gas e Luce (EGL), an Italian electricity and gas supplier, €11.5 million in two separate penalties for unlawful processing of personal data in telemarketing and for unsolicited contracts.
The first fine of €8.5 million was for unlawfully processing personal data for telemarketing: EGL made marketing calls to people who had opted out of promotional calls.
The second fine of €3 million concerned unsolicited contracts for electricity and gas supply on the free market, concluded in the names of around 7,200 customers who had not asked for them.
12. Notebooksbilliger.de, €10.4 million
In January 2021, the data protection authority of Lower Saxony fined the German laptop retailer Notebooksbilliger.de €10.4 million. The penalty was imposed for monitoring employees through constant video surveillance, without a legal basis, over at least two years.
Cameras covered workplaces, warehouses, sales areas and employees’ common rooms, and recordings were in many cases kept for 60 days, far longer than necessary. The company also recorded customers without their consent in places such as seating areas and sales rooms where customers tested the products.
This is the second large German fine for employee surveillance, after the Hamburg authority’s €35.3 million fine on H&M in 2020.
13. Google, €7 million
Google makes the list again. In March 2020, the Swedish Data Protection Authority (Datainspektionen, now IMY) fined Google SEK 75 million (about €7 million) for failing to comply with the GDPR’s right to be forgotten (Article 17) by not removing search result links it had been ordered to delist. This is Google’s third-largest GDPR fine, after the €100 million and €50 million penalties from the French CNIL.
The DPA had ordered Google in 2017 to remove a number of search result listings. In 2018 it received complaints that Google had not complied, and opened a follow-up audit.
The audit found that Google had not properly removed two of the listings the DPA had ordered it to remove in 2017. The DPA also ordered Google to stop its practice of notifying website owners of delistings, because the notification can tell the site owner who requested the removal and for which page, defeating the purpose of delisting.
14. Caixabank, €6 million
In January 2021, the Spanish Data Protection Authority (AEPD) fined Caixabank €6 million, its largest GDPR fine to date, for processing personal data without a valid legal basis and for failing to inform customers adequately. The bank provided insufficient information about the categories of personal data processed, the profiles it built, the legal basis of processing, how to exercise data subject rights and the data retention periods. It also failed to meet the requirements for valid consent, with “deficiencies in the processes enabled” to obtain it.
15. BBVA, €5 million
In December 2020, the AEPD fined BBVA €5 million. The bank had sent promotional SMS messages to a customer without consent and had no specific mechanism for obtaining it, and its privacy information did not properly describe its processing of personal data. BBVA was also sanctioned for the unlawful transfer of personal data to other companies in the group.
This is the second-biggest fine imposed in Spain, behind only the Caixabank fine, and the two cases share many similarities. Together, the two record fines suggest a significant toughening of the AEPD’s approach to GDPR enforcement.
16. AOK, €1.24 million
In June 2020, the data protection authority of Baden-Württemberg (LfDI) fined the health insurer Allgemeine Ortskrankenkasse (AOK) Baden-Württemberg €1.24 million for inadequate technical and organisational measures under Art. 32 GDPR.
Between 2015 and 2019, AOK ran lotteries and collected participants’ personal data, including contact details and current health insurance affiliation, intending to use the data of those who had consented for advertising. AOK had put internal guidelines and staff training in place to restrict marketing to consenting participants, but these measures did not ensure that only their data was used: more than 500 people were contacted for advertising purposes without their consent. Because the safeguards were inadequate rather than absent, the authority treated the case as a security-of-processing failure and took AOK’s cooperation and remediation into account when setting the fine.
17. BKR, €830,000
In August 2020, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) imposed its largest GDPR fine to date, €830,000, on the Dutch credit registration bureau BKR for obstructing data subject access requests between May 2018 and March 2019.
The Dutch DPA found that BKR had infringed Articles 12 and 15 GDPR: access to one’s own data must as a rule be provided free of charge, but BKR charged a fee for digital access and only provided free access once a year, by post, thereby discouraging people from exercising their right.
GDPR Cookie Fines
Cookie consent has become a recurring theme in CNIL decisions. In November 2020, CNIL fined Carrefour France €2,250,000 and Carrefour Banque €800,000 for a range of GDPR violations, including cookie consent: Carrefour websites automatically placed cookies before any consent was obtained and used them for advertising purposes.
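The pattern penalised in the Google, Amazon and Carrefour decisions is the same: an advertising cookie is written on first page load, before the visitor has made any choice. The following JavaScript is an added example, not code from CookieYes or from any of the companies or regulators above, showing how a site gates non-essential cookies behind an explicit consent decision and keeps a log that can be produced in an audit. The cookie categories, the `jar` abstraction (a stand-in for `document.cookie` so the code runs in Node) and the cookie names are assumptions made for the example.

```javascript
// Consent-gated cookie setting with an auditable consent log.
// Added example (not CookieYes code). Assumptions: cookies are classified into
// the four categories below, and callers pass a `jar` object with set/has/names
// methods; in a browser that object would wrap document.cookie, here an
// in-memory jar is used so the example runs offline.

const ESSENTIAL = "necessary";
const CATEGORIES = new Set(["necessary", "functional", "analytics", "advertising"]);

// Before the visitor decides, only strictly necessary cookies may be written.
function createConsentState() {
  return { decided: false, allowed: new Set([ESSENTIAL]), log: [] };
}

// Record a choice. `choices` maps category -> boolean; necessary cookies cannot
// be refused. Every decision is appended to the log together with a timestamp
// and the banner version the visitor saw, so consent can be demonstrated later.
function recordConsent(state, choices, meta = {}) {
  const allowed = new Set([ESSENTIAL]);
  for (const [category, granted] of Object.entries(choices)) {
    if (!CATEGORIES.has(category)) throw new Error(`unknown cookie category: ${category}`);
    if (granted) allowed.add(category);
  }
  const entry = {
    timestamp: meta.now || new Date().toISOString(),
    bannerVersion: meta.bannerVersion || "unknown",
    choices: { ...choices, [ESSENTIAL]: true },
  };
  return { decided: true, allowed, log: [...state.log, entry] };
}

// Withdrawal must be as easy as giving consent (GDPR Art. 7(3)): revert to
// necessary-only while keeping the history of earlier decisions.
function withdrawConsent(state, meta = {}) {
  return recordConsent(state, { functional: false, analytics: false, advertising: false }, meta);
}

function canSet(state, category) {
  return state.allowed.has(category);
}

// The gate: refuse to write any cookie whose category lacks consent.
// Returns true if the cookie was written, false if it was blocked.
function setCookie(state, jar, { name, value, category }) {
  if (!canSet(state, category)) return false;
  jar.set(name, value);
  return true;
}

// The defect the regulator penalised, reproduced: an advertising identifier is
// dropped on page load regardless of whether the visitor has chosen anything.
function pageLoadUngated(jar) {
  jar.set("ad_id", "abc123");
  return jar;
}

// The corrected page load: every cookie goes through the gate, so the session
// cookie is written but the advertising cookie waits for consent.
function pageLoadGated(state, jar) {
  setCookie(state, jar, { name: "session", value: "s1", category: "necessary" });
  setCookie(state, jar, { name: "ad_id", value: "abc123", category: "advertising" });
  return jar;
}

// In-memory stand-in for document.cookie used by the example.
function memoryJar() {
  const store = new Map();
  return {
    set: (name, value) => store.set(name, value),
    has: (name) => store.has(name),
    names: () => [...store.keys()],
  };
}
```

On a real site the gate is only as good as its coverage: every script that writes a cookie (including third-party tags) has to go through `setCookie` or be loaded only after `canSet` returns true, which is why a cookie scan of the live site is needed to find writes that bypass the banner. The log should be stored server-side or in a first-party store that survives the visitor clearing cookies, since it is the evidence that consent existed at the time a given cookie was written.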
With CookieYes, you can scan your website for cookies and add them to your site’s list of cookies.
You can easily add a fully customizable cookie consent banner and make it available in 30+ languages.
In the consent log dashboard, you can also access a record of users’ consents and their cookie preferences. This can help you demonstrate your compliance during audits.
Sign up for free today!